Free Security Log Resources by Randy

Subject:

Identifies the account that requested the logon, NOT the user who just logged on. Subject is usually Null or one of the service principals and is rarely useful information. See New Logon for who just logged on to the system.

Security ID

Account Name

Account Domain

Logon ID

Logon Type:

This is a valuable piece of information because it tells you HOW the user just logged on. See 4624.

New Logon:

The user who just logged on is identified by the Account Name and Account Domain. You can determine whether the account is local or domain by comparing the Account Domain to the computer name. If they match, the account is a local account on that system; otherwise it is a domain account. See the New Logon field description at 4624.

Security ID: the SID of the account

Account Name: Logon name of the account

Account Domain: Domain name of the account (pre-Win2k domain name)

Logon ID: Semi-unique logon session ID number

Events in sequence:

If a user is a member of too many groups to document in one event, Windows will log multiple instances of this event.

Group Membership:

This is where all the groups to which the user belonged at the time of logon are listed.

This event has been tested with a domain account on a domain-joined Windows 10 computer, and we can confirm this event includes:

the local groups on that computer to which the user belongs

domain groups to which the user belongs

all groups, including groups the user is a member of by virtue of nested group membership

special principal SIDs the user has in their user token, such as INTERACTIVE or NETWORK, depending on the type of logon (also known as well-known SIDs)
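The following is an added example, not part of the original page: it merges the multiple instances of this event per logon session, classifies the account as local or domain by the Account Domain comparison described under New Logon, and reports sessions whose token holds a watched group. The record layout (`Computer`, `Sequence`, the other key names) and all sample values are assumptions constructed for illustration.

```python
# Constructed sample records, not real log data. Each dict is one parsed
# instance of the event; the key names and the (index, total) form of
# "Sequence" are assumptions about the parser's output.
EVENTS = [
    {"Computer": "WS01", "LogonType": 2, "Sequence": (1, 2),
     "NewLogon": {"AccountName": "rsmith", "AccountDomain": "ACME",
                  "LogonID": "0x1A2B3C"},
     "Groups": ["ACME\\Domain Users", "NT AUTHORITY\\INTERACTIVE"]},
    {"Computer": "WS01", "LogonType": 2, "Sequence": (2, 2),
     "NewLogon": {"AccountName": "rsmith", "AccountDomain": "ACME",
                  "LogonID": "0x1a2b3c"},
     "Groups": ["ACME\\Helpdesk", "ACME\\Domain Admins"]},
    {"Computer": "WS01", "LogonType": 3, "Sequence": (1, 2),
     "NewLogon": {"AccountName": "localadm", "AccountDomain": "ws01",
                  "LogonID": "0x4D5E6F"},
     "Groups": ["BUILTIN\\Administrators", "NT AUTHORITY\\NETWORK"]},
]


def merge_sessions(events):
    """Merge every instance of the event that belongs to one logon session."""
    sessions = {}
    for ev in events:
        new = ev["NewLogon"]
        # Logon ID is only semi-unique, so scope it to the computer.
        key = (ev["Computer"].upper(), new["LogonID"].lower())
        s = sessions.setdefault(key, {
            "account": f'{new["AccountDomain"].upper()}\\{new["AccountName"]}',
            # Account Domain equal to the computer name means a local account.
            "local": new["AccountDomain"].upper() == ev["Computer"].upper(),
            "logon_type": ev["LogonType"],
            "groups": set(), "seen": set(), "total": ev["Sequence"][1]})
        s["groups"].update(ev["Groups"])
        s["seen"].add(ev["Sequence"][0])
    for s in sessions.values():
        # Incomplete when an instance of the sequence was never collected.
        s["complete"] = s["seen"] == set(range(1, s["total"] + 1))
    return sessions


def watched_group_logons(sessions, watched):
    """Return (account, computer, matched groups, complete) per session."""
    watched = {g.upper() for g in watched}
    hits = []
    for (computer, _), s in sessions.items():
        matched = sorted(g for g in s["groups"] if g.upper() in watched)
        if matched:
            hits.append((s["account"], computer, matched, s["complete"]))
    return hits
```

A session reported with `complete` set to False is missing at least one instance of the event, so its group list should be treated as a lower bound.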